Cool project!

OAuth-based auth providers are nice, but they can have a weakness. When you have just one app, OAuth can be overkill: the protocol is complex, and users suffer jarring redirects¹.

This is not surprising, because OAuth / OIDC is fundamentally designed for (at least) three parties that don't fully trust each other: the user, the account provider and an app². But in a single app there are only two parties: the user and the app itself. Auth and app can fully trust each other, the protocol can be simpler, and redirects can be avoided.

I'm curious what the OpenAUTH authors think about it.

¹ Except for the Resource Owner Password Credentials (ROPC) grant type, but it's no longer recommended: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.4

² In addition, OAuth is mostly designed for and by account providers, and follows their interests more than the interests of app developers.